<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Close icon
Search bar icon

5 Disaster Recovery Policy (DRP) Best Practices to Know

As you prepare your company to endure and recover from a disaster, two primary information technology policies should be in place: business continuity and disaster recovery.  

These two policies help you plan for – and recover from – adverse events, but the difference lies in the goals of each policy: business continuity focuses on returning your business to normalcy, while disaster recovery details the minimum necessary functions for your business to survive.

The first step in this policy is to define the critical processes and assets necessary for you to maintain minimum business functions after a disaster.  Here are five disaster recovery best practices to consider.

5 Disaster Recovery Policy (DRP) Best Practices

1. Prepare for physical disasters

This type of disaster makes sense to prepare for first. It forces you to ask some tough questions, such as “What would we do if our physical building was gone – either from some natural disaster or an act of God?  Can employees be relocated to another location or work from home?”

Whatever preparations you put in place, don’t just think of physical disasters as an “all or nothing” event.  If your whole building goes away, that is a different set of problems than if a plumbing issue forces your employees to evacuate for a few days.

If you don’t currently have StrongDM or an option that employees can use to access network resources, now is a good time to consider it.  It might also be a good opportunity to have a backup office space in place. Several companies offer alternative workspaces you can have on retainer – complete with desks, computer hardware, and phone/Internet access – so your business can continue running.

2. Protect against cyber disasters

Cyber disasters typically include major incidents such as ransomware attacks and data loss from breaches.  To protect against these, your layers of security should include a firewall with IDS/IPS and solid host-based endpoint protection.  Also, consider that according to the Verizon Data Breach Investigations Report, a much more likely cyber risk is an employee clicking a malicious link.  

Make sure your cyber disaster preparations also include training for your users – both at hire and throughout the year – on relevant security topics. A good data backup system is also critical, so ensure that backups are taken regularly and test the restore process often as well.  Refer to our post on System Availability for best practices on backing up your infrastructure.

3. Redundancy is critical

You have likely spent some serious dollars on making sure you have a well-designed infrastructure, and in a disaster scenario, redundancy is your friend.  Look at all the components of your network design and talk through how your infrastructure would be affected if one piece was missing.

For example, if one of your core switches flakes out, can critical network traffic failover to another switch?  Do you have another firewall ready to go if the primary goes down? How about your wireless access points – do you have enough coverage throughout your offices to keep employees working if one goes out? And what about critical information systems, such as Active Directory?  Have you deployed enough domain controllers – and in the right locations – so that users can always authenticate no matter where they are?

Ultimately, your contingency planning process needs to eliminate any single points of failure, establish who owns each asset, and provide multiple ways to get in touch with that person or team.

If you plan to configure resources in a distributed infrastructure to authenticate against Active Directory, you know the repetitive and manual work it will require. A proxy-based control plane can help you eliminate complicated configurations. StrongDM integrates with Active Directory, or any other directory service or single sign-on provider, to authenticate users and securely route traffic to any destination resource, regardless of where it’s hosted.

4. Assign responsibilities

In the event of a disaster, there will be plenty of confusion and commotion.  To reduce some of that stress, you should preemptively authorize and assign key tasks to team members. That way, in the heat of the moment, everybody knows their individual responsibilities, as well as who the point people are for further questions.  

At a minimum, you want to delegate people who will lead initiatives such as purchasing new equipment, coordinating alternative office space, and communicating with senior management, clients, and the press.

5. Test and review your disaster recovery plan

Backups are great, but being able to restore the data is even better.  In other words, a good rule of thumb is to test the disaster plan on a regular basis - and ideally not when you’re in the middle of a disaster.  

Scheduled tabletop exercises are a great way to simulate a business threat, and then work through how your company would respond. These exercises should include representation from all business units so everyone is part of the conversation, and you might also want to engage a third-party service provider to help coach you through the first few recovery tests.  This type of testing will help you continuously identify gaps in your plan, and then remediate them.

Without a doubt, an IT disaster recovery plan is a ton of work, and it’s tempting to leave it on the back burner and say, “Oh that won’t happen to us.”  But by designing a solid plan and putting in the time upfront, you will be well-poised to respond to the disaster, handle it effectively with your team, and recover as quickly and completely as possible.  

Remember that an IT disaster recovery and business continuity plan is just a piece of your larger information security strategy, which should include a risk assessment and business impact analysis (BIA) conducted on an annual basis.

About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Automating access to cloud environments
Managing Access to Ephemeral Infrastructure At Scale
Managing a static fleet of strongDM servers is dead simple. You create the server in the strongDM console, place the public key file on the box, and it’s done! This scales really well for small deployments, but as your fleet grows, the burden of manual tasks grows with it.
Illustration of an technical employee who is offboarding from their employer.
All Offboard! The 2024 Tech Staff Offboarding Checklist
Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.
User Provisioning: How To Automate & Manage Credentials
How We Automate User Provisioning & Keep Track of Credentials
There are a number of ways to automate user provisioning but the real challenge lies in keeping track of those credentials.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.